Debian is shutting down its public FTP services

If you're one of the few people still using FTP to access the Debian repositories, the time has come to move on: FTP service will be shut down at the beginning of November.

From:		Cédric Boutillier <boutil-AT-debian.org>
To:		debian-announce-AT-lists.debian.org
Subject:		Shutting down public FTP services
Date:		Tue, 25 Apr 2017 15:19:01 +0200
Message-ID:		<20170425131901.f64ltdn2p66774c4@shiraz.lpma-paris.fr>

------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Shutting down public FTP services                       press@debian.org
April 25th, 2017               https://www.debian.org/News/2017/20170425
------------------------------------------------------------------------


After many years of serving the needs of our users, and some more of
declining usage in favor of better options, all public-facing debian.org
FTP services will be shut down on November 1, 2017. These are:

  * ftp://ftp.debian.org
  * ftp://security.debian.org

This decision is driven by the following considerations:

  * FTP servers have no support for caching or acceleration.
  * Most software implementations have stagnated and are awkward to use
    and configure.
  * Usage of the FTP servers is pretty low as our own installer has not
    offered FTP as a way to access mirrors for over ten years.
  * The protocol is inefficient and requires adding awkward kludges to
    firewalls and load-balancing daemons.


Information for users
---------------------

The DNS names ftp.debian.org and ftp.<CC>.debian.org will remain the
same. The mirrors should just be accessed using HTTP instead:

  * http://ftp.debian.org
  * http://security.debian.org


Information for developers
--------------------------

Our developer services will not be affected. These are the upload queues
for both the main and the security archive:

  * ftp://ftp.upload.debian.org
  * ftp://security-master.debian.org


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
mirror team at their public mailing list
<debian-mirrors@lists.debian.org>.

Debian is shutting down its public FTP services

Posted Apr 25, 2017 15:23 UTC (Tue) by jgg (subscriber, #55211) [Link] (9 responses)

Wow, this is amazing, I first implemented HTTP for the Debian archive, server side and client side, then pushed the mirrors over to rsync back in around 1997.. So 20 years later we see FTP finally shut off! Quite the deprecation curve there..

Debian is shutting down its public FTP services

Posted Apr 25, 2017 17:52 UTC (Tue) by epa (subscriber, #39769) [Link] (8 responses)

What's more surprising is that after two decades there still isn't a good enough alternative to FTP for uploading files.

Debian is shutting down its public FTP services

Posted Apr 25, 2017 19:21 UTC (Tue) by flussence (guest, #85566) [Link]

There's the rarely-used sftp(1) command that comes with OpenSSH. I'm not sure how well (or if) it handles anonymous users—you may be stuck with HTTP there—but otherwise it feels the same as a normal command-line ftp client.

Debian is shutting down its public FTP services

Posted Apr 26, 2017 5:47 UTC (Wed) by mbunkus (subscriber, #87248) [Link] (5 responses)

Use SFTP. If you are concerned about the lack of configuration options for the OpenSSH implementation, use a different one,for example ProFTPd which can not only do the old FTP but SFTP, too. There are clients for all OS and then some. The only thing missing is built-in support in Windows.

Debian is shutting down its public FTP services

Posted Apr 26, 2017 8:45 UTC (Wed) by epa (subscriber, #39769) [Link] (1 responses)

I'm aware of SFTP but, as you can see, it hasn't reached the point of being good enough to replace FTP. The Debian project consists of some of the most technically able people on the planet, and puts a high emphasis on security and "doing the right thing". If even Debian still needs to use FTP to upload files because it hasn't been able to switch Debian developers over to some alternative like SFTP, what hope is there for those with a less technical userbase?

Debian is shutting down its public FTP services

Posted Apr 26, 2017 12:39 UTC (Wed) by pabs (subscriber, #43278) [Link]

SFTP is available for Debian members, maintainers only have FTP uploads at this point. We haven't really made any concerted effort to switch to SFTP for uploads though.

Debian is shutting down its public FTP services

Posted Apr 26, 2017 18:05 UTC (Wed) by HenrikH (subscriber, #31152) [Link] (2 responses)

It's a pain for scripts though since you must use expect instead of supplying username+password as parameters and on the download side there is no support in wget and the binary version of cURL on (at least on Ubuntu) is built without support for SFTP.

Debian is shutting down its public FTP services

Posted Apr 30, 2017 19:31 UTC (Sun) by derobert (subscriber, #89569) [Link]

You can use public key authentication with sftp (the authentication is being done by ssh). That's both easier in a script and more secure than a password on the command line.

(Remember in the default kernel configuration, password on the command line shows in ps).

If you really want to write a password in a file, I think lftp (which is also an sftp client) will let you...

Debian is shutting down its public FTP services

Posted May 1, 2017 1:04 UTC (Mon) by jwoithe (subscriber, #10521) [Link]

I was looking into sftp support in various clients a couple of years ago. cURL's sftp implementation relies on libssh2; if this is present on the system at compilation time then cURL can include sftp support.

Debian is shutting down its public FTP services

Posted Apr 27, 2017 13:14 UTC (Thu) by itvirta (guest, #49997) [Link]

I was going to say something about implementing `wput` to use HTTP PUT requests to send files.
But apparently a program by that name already exists, and it does FTP...

Debian is shutting down its public FTP services

Posted Apr 25, 2017 21:17 UTC (Tue) by vstinner (subscriber, #42675) [Link] (2 responses)

Are Debian FTP masters fired or recalled HTTP masters? :-)

Debian is shutting down its public FTP services

Posted Apr 26, 2017 9:46 UTC (Wed) by pochu (subscriber, #61122) [Link]

We should have a General Resolution to vote on this issue

Debian is shutting down its public FTP services

Posted Apr 26, 2017 14:30 UTC (Wed) by epa (subscriber, #39769) [Link]

As long as they are just playing at being masters in private, there is no reason for them to be kicked out of the project.